New rules for GDPR and the transfer of personal data to the USA

It is very important that the requirements of GDPR are complied with when we enter into agreements for services where personal data is transferred. Now the rules for the transfer of personal data to the USA are becoming less strict.

Easier from July 10th

After the European Court of Justice handed down the Schrems II judgment in 2020, it has been very difficult to legally transfer personal data to the USA. This has also had consequences for UiO when we have to enter into agreements with American service providers or services that use American subcontractors.

However, on July 10th this year, the European Commission adopted a new framework, the EU-US Data Privacy Framework, which once again makes it easier to transfer personal data to the USA. In practice, the agreement means that the EU has assessed that US legislation and practice are no longer problematic for transfer to the US, provided the company is on a list of companies that have approved the framework.

List of companies which have approved the framework

You can search which companies have approved the framework here: Participant Search (dataprivacyframework.gov)

Large and important suppliers for UiO are on the list, such as Google, Amazon and Microsoft. In practice, this means that it is now easier to enter into agreements with a cloud service that, for example, has Azure or AWS as a subcontractor. It is worth noting that it has also become easier to transfer personal data to the US even if a business is not on the list.

Privacy assessments are still needed

While this makes transferring to the US much easier, it does not mean that there are no restrictions. The general requirements in the Personal Data Protection Regulation still apply. This means that we must still enter into data processing agreements, carry out ROS (risk and vulnerability) analyses and have a conscious approach to which data we transfer. We must also have a conscious approach to whether a supplier shares our personal data with other countries outside the EU/EEA.

UiO's process for approving new IT services in research and teaching is still in force: Hvordan ta i bruk en ny tjeneste i undervisning eller forskning - Universitetet i Oslo (uio.no). The process is described in Norwegian only.

What happens going forward?

It is also somewhat uncertain what will happen in the future. Max Schrems has already stated that he will challenge the validity of the new framework, so there is a possibility that in a few years there will be a Schrems III ruling that will again make it difficult to use US service providers.

Read more on the Norwegian Data Protection Authority's website: Nye regler for overføring av personopplysninger til USA | Datatilsynet (in Norwegian only)


Published Aug. 17, 2023 9:51 AM - Last modified Aug. 17, 2023 9:51 AM